This tax season, thousands of people may feel the same joy I experienced upon receiving a large and unexpected refund check from Uncle Sam. Unfortunately, they will also experience the dismay and fear when they find out that it was fraudulent refund.
Someone had stolen one of our Social Security numbers – cyber-robbers’ modus operandi of choice these days.
Then they filed a false return claiming huge deductions against modest income in our names.
That resulted in the bogus refund check.
On YouTube, a would-be victim, above, turns the tables on an IRS phone “spoofer.” YouTube/Brandon Cox
Usually, the way this scam works is that grifters mail the big, fake refund to themselves, but somehow it ended up in our mailbox. After immediately checking with my tax planner, I sent the check back to the IRS and filed an identity theft affidavit so that the tax agency would know the refund was fake.
To thwart scammers, the agency has improved the algorithms it uses to flag discrepancies. But while effective, it is not foolproof.
And thieves are not taking a break, especially with the filing deadline moved to July 15 due to the coronavirus crisis. In fact, stay-at-home orders create a perfect storm for scammers. The heightened anxiety surrounding the crisis softens up potential victims. Not only that, the mailing out of federal coronavirus stimulus checks soon is creating new opportunities for fraud.
In many cases, cheap technology allows thieves to make millions of robocalls to housebound individuals for a few hundred dollars. So beware of “spoofing,” where a fake but official-looking name and number will appear on a caller ID. “Scammers often alter caller ID to make it look like the IRS or another agency is calling,” the IRS reports. “The callers use IRS titles and fake badge numbers to appear legitimate. They may use the victim’s name, address and other personal information to make the call sound official.”
In a common scenario, robocallers claim they are with the IRS and threaten to sue or arrest the target over unpaid tax bills. And these scams are now more than seasonal; they are happening year-round, the IRS reports.
Worried that you’ve been scammed? The IRS gives you options to report concerns. You can also file electronically and use a Personal Identification Number. The IRS will send you one for free. After I got mine – they will issue a new one every year – I haven’t had a problem with grifters.
– John F. Wasik
The extension of the filing deadline not only gives taxpayers three extra months, but also provides scammers with an extra 90 days of prime-time flim-flam. In a normal year, some 61% of tax scams are reported between January and April, according to the Better Business Bureau. All told, the IRS has logged more than 736,000 scam “contacts” since 2013, costing taxpayers some $23 million. The number is likely much higher since many cases go unreported.
In addition to robocalls, scam methods include fake IRS letterheads and addresses, emails and outright demands to pay taxes not owed. In each case, the operators are looking for quick cash or vital personal financial information. They employ “phishing” techniques to get victims to reply with Social Security or bank account numbers. Then can use that information to open up credit cards or sell it to other thieves.
How do scamsters acquire personal information and what do they do with it once they get their hands on it? Tyler Carbone, chief strategy officer of Terbium Labs, a digital risk protection firm, says one of the most prevalent ways to steal personal information is through W-2s, the basic tax forms employers use.
“Each consumer W-2 names a business and provides employer information as part of the required documentation,” Carbone notes.
“Once a fraudster finishes executing tax fraud against the consumer, there’s no reason for them to simply stop there. In possession of an employee’s name and employer information (something they can steal from employer system breaches or the dark web), they have a great opportunity to do a little research and develop a phishing campaign or business email compromise scheme to go after the employer as well – or to find ways to exploit other employees and colleagues of the original consumer.”
Like just about anything to do with fraud these days, the Internet is a thieves’ market whose shelves are well stocked with personal information.
From a site that tracks the “dark web.” DarkReading.com
On the dark web, where illicit information is openly peddled, full identity kits, called “fullz,” can be purchased for under $40, notes one site tracking the dark web. “A “fullz” for a U.S. consumer contains a person’s full name, birth date, Social Security number, address, phone number, driver’s license number, and mother’s maiden name,” notes DarkReading.com. “For an extra $10 to $25, sellers will add an individual’s credit card data, bank account data, bank security questions and answers, employer, or other critical information.”
It is, of course, illegal to sell such stolen information, but there is loads of it out there on the black market. Data breaches, unfortunately, are a fact of life these days, according to Identityforce.com, a private company that offers identity theft protection services. Hundreds of millions of records are pilfered, ranging from Dunkin Donuts perks programs to Facebook, which admitted last year it hadn’t secured the passwords for some 600 million users. With all that information out there – i.e. my Social Security number, your credit files – why isn’t the dark web shut down?
Carbone has found that with dark web sites “it is impossible to know from the hosting alone where they are hosted, or who is hosting them, so many are able to successfully operate anonymously until they are unmasked by other means.”
“Other sites are hosted on regular, open web sites,” Carbone adds. “In these cases, they are hosted outside the United States – usually in Eastern Europe, where takedown requests from U.S. entities frequently go without response.”
A W-2 form, even an old one, can be a ticket to tax fraud. IRS.gov
There’s even more to it: Some sites offer guidance on how to employ dark web information to set up income tax scams. Carbone found one site offering an instructional manual on how to file fraudulent tax returns for 2019 using fullz for $30.
“These guides,” Carbone said, “help criminals to monetize the information available on the dark web, turning already low-cost data into high profits.”
Carbone also found a site that was selling two-year-old W-2s, federal statements of income and tax withheld, which can also be used for income-tax fraud:
“This listing shows that while tax fraud may be seasonal, identity data is good all year. As long as they aren’t several years out of date, a year-old W-2 is still useful for filing fraudulent tax returns, on the assumption that an employee is still with their current employer and has roughly the same income level year to year. These tax documents go for $20 and provide a lot of flexibility for criminals to carry out tax fraud and broader identity theft.”
Yes, once your information is out there on the dark web, it can be repurposed for any number of nefarious schemes. That’s why it’s a good idea to freeze your credit files (I did) and to only use encrypted sites when doing online transactions such as banking and purchases (look for third-party certification marques or two-factor authentication). And don’t file your taxes electronically on a public Wi-Fi. These networks are not secure. Secure sites will have some kind of third-party marque indicating that transactions are protected in some way. The larger e-commerce sites now use “two-factor authentication,” where they will send you a code number to your cellphone before greenlighting a purchase. (Whenever I send or receive sensitive financial documents such as tax returns, I or my tax preparer use a third-party encryption tool that can only be opened with a code or specific personal identification number)
Since the online sites are almost always offshore and can disappear in seconds, they are beyond the reach of overburdened federal investigators probing hundreds of thousands of complaints. Justin Lavelle, communications director for BeenVerified.com, a consumer background check information company, said many of the scams are based in India. “But some are coming from Africa,” he said. “Among IRS tax scams, the IRS impersonation scam is most prevalent. They are all time-sensitive — ‘pay by a certain date or something bad will happen’ – and demand immediate payment or Social Security numbers.”
When immediate payment is demanded, though, thieves often tell victims that they need to send them gift cards or single-use debit cards. “Older folks tend to be the biggest targets, especially those on Social Security,” Lavelle said.
“It’s definitely an ongoing game of cat and mouse,” Carbone concludes.
“Law-enforcement, both U.S. and international, are constantly trying to identify the hosts of these sites. That’s why we need to take an automated approach to finding and crawling these sites, as existing markets are shut down by law-enforcement, and new ones emerge.”